ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser.

ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Much of the power of modern Web comes from the ability of a Web page to combine contents and JavaScript code from
disparate servers on the same page. While the ability to create such mash-ups is attractive for both the user and the
developer because of extra functionality, because of code inclusion, the hosting site effectively opens itself up for
attacks and poor programming practices within every JavaScript library or API it chooses to use. In other words,
expressiveness comes at the price of losing control. To regain the control, it is therefore valuable to provide means
for the hosting page to restrict the behavior of the code that it may include.

This paper presents ConScript, an client-side advice implementation for security, built on top of Internet Explorer 8.
ConScript allows the hosting page to express fine-grained application-specific security policies that are enforced at
runtime. In addition to presenting 17 widely-ranging security and reliability policies that ConScript enables, we also
show how policies can be generated automatically through static analysis of server-side code or runtime analysis of
client-side code. We also present a type system that helps ensure correctness of ConScript policies. To show the
practicality of ConScript in a range of settings, we compare the overhead of ConScript enforcement and conclude that it
is significantly lower than that of other systems proposed in the literature, both on micro-benchmarks as well as
large, widely-used applications such as MSN, GMail, Google Maps, and Live Desktop.